[MS-ASP]:

ASP.NET State Server Protocol

Intellectual Property Rights Notice for Open Specifications Documentation

§  Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages, standards as well as overviews of the interaction among each of these technologies.

§  Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you may make copies of it in order to develop implementations of the technologies described in the Open Specifications and may distribute portions of it in your implementations using these technologies or your documentation as necessary to properly document the implementation. You may also distribute in your implementation, with or without modification, any schema, IDL's, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications.

§  No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

§  Patents. Microsoft has patents that may cover your implementations of the technologies described in the Open Specifications. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents. However, a given Open Specification may be covered by Microsoft Open Specification Promise or the Community Promise. If you would prefer a written license, or if the technologies described in the Open Specifications are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting .

§  Trademarks. The names of companies and products contained in this documentation may be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit www.microsoft.com/trademarks.

§  Fictitious Names. The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than specifically described above, whether by implication, estoppel, or otherwise.

Tools. The Open Specifications do not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments you are free to take advantage of them. Certain Open Specifications are intended for use in conjunction with publicly available standard specifications and network programming art, and assumes that the reader either is familiar with the aforementioned material or has immediate access to it.

Revision Summary

Date / Revision History / Revision Class / Comments /
12/18/2006 / 0.1 / Version 0.1 release
3/2/2007 / 1.0 / Version 1.0 release
4/3/2007 / 1.1 / Version 1.1 release
5/11/2007 / 1.2 / Version 1.2 release
6/1/2007 / 1.2.1 / Editorial / Changed language and formatting in the technical content.
7/3/2007 / 1.2.2 / Editorial / Changed language and formatting in the technical content.
7/20/2007 / 1.2.3 / Editorial / Changed language and formatting in the technical content.
8/10/2007 / 1.2.4 / Editorial / Changed language and formatting in the technical content.
9/28/2007 / 2.0 / Major / Updated and revised the technical content.
10/23/2007 / 2.0.1 / Editorial / Changed language and formatting in the technical content.
11/30/2007 / 2.0.2 / Editorial / Changed language and formatting in the technical content.
1/25/2008 / 3.0 / Major / Updated and revised the technical content.
3/14/2008 / 4.0 / Major / Updated and revised the technical content.
5/16/2008 / 4.0.1 / Editorial / Changed language and formatting in the technical content.
6/20/2008 / 4.1 / Minor / Clarified the meaning of the technical content.
7/25/2008 / 4.1.1 / Editorial / Changed language and formatting in the technical content.
8/29/2008 / 4.1.2 / Editorial / Changed language and formatting in the technical content.
10/24/2008 / 5.0 / Major / Updated and revised the technical content.
12/5/2008 / 5.0.1 / Editorial / Changed language and formatting in the technical content.
1/16/2009 / 5.0.2 / Editorial / Changed language and formatting in the technical content.
2/27/2009 / 5.0.3 / Editorial / Changed language and formatting in the technical content.
4/10/2009 / 5.0.4 / Editorial / Changed language and formatting in the technical content.
5/22/2009 / 5.0.5 / Editorial / Changed language and formatting in the technical content.
7/2/2009 / 6.0 / Major / Updated and revised the technical content.
8/14/2009 / 6.0.1 / Editorial / Changed language and formatting in the technical content.
9/25/2009 / 6.1 / Minor / Clarified the meaning of the technical content.
11/6/2009 / 7.0 / Major / Updated and revised the technical content.
12/18/2009 / 7.0.1 / Editorial / Changed language and formatting in the technical content.
1/29/2010 / 7.1 / Minor / Clarified the meaning of the technical content.
3/12/2010 / 7.1.1 / Editorial / Changed language and formatting in the technical content.
4/23/2010 / 7.1.2 / Editorial / Changed language and formatting in the technical content.
6/4/2010 / 7.1.3 / Editorial / Changed language and formatting in the technical content.
7/16/2010 / 8.0 / Major / Updated and revised the technical content.
8/27/2010 / 8.0 / None / No changes to the meaning, language, or formatting of the technical content.
10/8/2010 / 8.0 / None / No changes to the meaning, language, or formatting of the technical content.
11/19/2010 / 8.0 / None / No changes to the meaning, language, or formatting of the technical content.
1/7/2011 / 8.0 / None / No changes to the meaning, language, or formatting of the technical content.
2/11/2011 / 8.0 / None / No changes to the meaning, language, or formatting of the technical content.
3/25/2011 / 8.0 / None / No changes to the meaning, language, or formatting of the technical content.
5/6/2011 / 8.0 / None / No changes to the meaning, language, or formatting of the technical content.
6/17/2011 / 8.1 / Minor / Clarified the meaning of the technical content.
9/23/2011 / 8.1 / None / No changes to the meaning, language, or formatting of the technical content.
12/16/2011 / 9.0 / Major / Updated and revised the technical content.
3/30/2012 / 9.0 / None / No changes to the meaning, language, or formatting of the technical content.
7/12/2012 / 9.0 / None / No changes to the meaning, language, or formatting of the technical content.
10/25/2012 / 9.0 / None / No changes to the meaning, language, or formatting of the technical content.
1/31/2013 / 9.0 / None / No changes to the meaning, language, or formatting of the technical content.
8/8/2013 / 9.0 / None / No changes to the meaning, language, or formatting of the technical content.
11/14/2013 / 9.0 / None / No changes to the meaning, language, or formatting of the technical content.
2/13/2014 / 9.0 / None / No changes to the meaning, language, or formatting of the technical content.
5/15/2014 / 9.0 / None / No changes to the meaning, language, or formatting of the technical content.
6/30/2015 / 10.0 / Major / Significantly changed the technical content.
10/16/2015 / 10.0 / No Change / No changes to the meaning, language, or formatting of the technical content.

Table of Contents

1 Introduction 6

1.1 Glossary 6

1.2 References 7

1.2.1 Normative References 7

1.2.2 Informative References 7

1.3 Overview 7

1.4 Relationship to Other Protocols 8

1.5 Prerequisites/Preconditions 8

1.6 Applicability Statement 8

1.7 Versioning and Capability Negotiation 8

1.8 Vendor-Extensible Fields 8

1.9 Standards Assignments 8

2 Messages 9

2.1 Transport 9

2.2 Message Syntax 9

2.2.1 Common Definitions 9

2.2.1.1 Digit 9

2.2.1.2 Octet 9

2.2.1.3 Carriage Return Line Feed 9

2.2.1.4 Space 9

2.2.1.5 Delimiter 9

2.2.1.6 Stringtext 10

2.2.2 Common HTTP Headers and Fields 10

2.2.2.1 HTTP Version 10

2.2.2.2 Host Header 10

2.2.2.3 Content Length 10

2.2.2.4 Content 10

2.2.3 State Server Headers and Fields 10

2.2.3.1 Application Identifier 10

2.2.3.2 Application Domain Identifier 10

2.2.3.3 Session Identifier 11

2.2.3.4 ASP.NET Version 11

2.2.3.5 Timeout 11

2.2.3.6 Exclusive Lock Acquire 11

2.2.3.7 Exclusive Lock Release 11

2.2.3.8 Lock Date 12

2.2.3.9 Lock Cookie 12

2.2.3.10 Lock Age 12

2.2.3.11 Extra Flags 12

2.2.3.12 Action Flags 13

2.2.3.13 Unique identifier 13

2.2.4 Response Status Codes 13

2.2.4.1 Response Status Code - OK 13

2.2.4.2 Response Status Code - Bad Request 13

2.2.4.3 Response Status Code - Not Found 13

2.2.4.4 Response Status Code - Locked 14

2.2.5 Messages 14

2.2.5.1 Get_Request 14

2.2.5.2 Get_Response 14

2.2.5.3 GetExclusive_Request 15

2.2.5.4 GetExclusive_Response 16

2.2.5.5 Set_Request 16

2.2.5.6 Set_Response 16

2.2.5.7 ReleaseExclusive_Request 17

2.2.5.8 ReleaseExclusive_Response 17

2.2.5.9 Remove_Request 18

2.2.5.10 Remove_Response 18

2.2.5.11 ResetTimeout_Request 18

2.2.5.12 ResetTimeout_Response 19

3 Protocol Details 20

3.1 Server Details 20

3.1.1 Abstract Data Model 20

3.1.2 Timers 20

3.1.3 Initialization 20

3.1.4 Higher-Layer Triggered Events 20

3.1.5 Processing Events and Sequencing Rules 20

3.1.5.1 Processing Non-Exclusive Get Requests 20

3.1.5.2 Processing Exclusive Get Requests 21

3.1.5.3 Saving Session Data with a Set Request 22

3.1.5.4 Releasing an Exclusive Session State Lock 23

3.1.5.5 Removing Session State 23

3.1.5.6 Resetting Session State Time-out 24

3.1.6 Timer Events 24

3.1.7 Other Local Events 24

3.2 Client Details 25

3.2.1 Abstract Data Model 25

3.2.2 Timers 25

3.2.3 Initialization 25

3.2.4 Higher-Layer Triggered Events 25

3.2.5 Processing Events and Sequencing Rules 25

3.2.5.1 Non-Exclusive Get Requests 25

3.2.5.2 Exclusive Get Requests 26

3.2.5.3 Saving Session Data with a Set Request 26

3.2.5.4 Releasing an Exclusive Session State Lock 26

3.2.5.5 Removing Session State 27

3.2.5.6 Resetting Session State Time-out 27

3.2.6 Timer Events 27

3.2.7 Other Local Events 27

4 Protocol Examples 28

5 Security 31

5.1 Security Considerations for Implementers 31

5.2 Index of Security Parameters 31

6 Appendix A: Product Behavior 32

7 Change Tracking 34

8 Index 35

1  Introduction

The ASP.NET State Server Protocol is a contract for transmitting session state data between a client and a state server. This protocol is used for interaction between a client application that requires persistent session state storage, and an out-of-process state server responsible for storing session state. The data that flows between the client application and a state server is transmitted using the Hypertext Transfer Protocol (HTTP).

Sections 1.8, 2, and 3 of this specification are normative and can contain the terms MAY, SHOULD, MUST, MUST NOT, and SHOULD NOT as defined in [RFC2119]. Sections 1.5 and 1.9 are also normative but do not contain those terms. All other sections and examples in this specification are informative.

1.1  Glossary

The following terms are specific to this document:

application domain: A virtual process space within which managed code applications are hosted and executed. It is possible to have multiple managed code applications running inside a single process. Each managed code application runs within its own application domain and is isolated from other applications that are running in separate application domains. An application domain has a unique identifier used as part of the identifying key on a state server when storing and retrieving session data.

ASP.NET: A web server technology for dynamically rendering HTML pages using a combination of HTML, Javascript, CSS, and server-side logic. For more information, see [ASPNET].

ASP.NET state server: A Windows service that provides a default server implementation of the ASP.NET State Server Protocol. When the service is enabled on a computer, that computer can act as a state server. The state server accepts requests to load, store, delete, and temporarily lock Session state items.

Hypertext Transfer Protocol (HTTP): An application-level protocol for distributed, collaborative, hypermedia information systems (text, graphic images, sound, video, and other multimedia files) on the World Wide Web.

session state: In ASP.NET, a variable store on a server for storing and retrieving values for a user while the user navigates ASP.NET pages in a web application. Session state is typically used to store user-specific information between postbacks. Each user maintains a separate session state on the server.

Uniform Resource Locator (URL): A string of characters in a standardized format that identifies a document or resource on the World Wide Web. The format is as specified in [RFC1738].

user session identifier: A unique identifier used as part of the identifying key when storing and retrieving session data.

web application identifier: Each ASP.NET application running on a web server is uniquely identified with a web application identifier. The web application identifier is the virtual path of the web application on the web server. A web application identifier is used as part of the identifying key on a state server when storing and retrieving session data for a specific browser session.

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.

1.2  References

Links to a document in the Microsoft Open Specifications library point to the correct section in the most recently published version of the referenced document. However, because individual documents in the library are not updated at the same time, the section numbers in the documents may not match. You can confirm the correct section numbering by checking the Errata.

1.2.1  Normative References

We conduct frequent surveys of the normative references to assure their continued availability. If you have any issue with finding a normative reference, please contact . We will assist you in finding the relevant information.

[RFC1738] Berners-Lee, T., Masinter, L., and McCahill, M., Eds., "Uniform Resource Locators (URL)", RFC 1738, December 1994, http://www.ietf.org/rfc/rfc1738.txt

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, http://www.rfc-editor.org/rfc/rfc2119.txt

[RFC2396] Berners-Lee, T., Fielding, R., and Masinter, L., "Uniform Resource Identifiers (URI): Generic Syntax", RFC 2396, August 1998, http://www.rfc-editor.org/rfc/rfc2396.txt

[RFC2616] Fielding, R., Gettys, J., Mogul, J., et al., "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999, http://www.rfc-editor.org/rfc/rfc2616.txt